Skip navigation
Cisco Learning Home > Connections > Discussions


This Question is Answered 2 Helpful Answers available (2 pts)
12355 Views 9 Replies Latest reply: Apr 21, 2012 2:51 AM by Shaun RSS

Currently Being Moderated

Can't telnet to cisco router from outside network. Inside works fine

Apr 6, 2009 5:49 PM

ejeangilles 18 posts since
Jan 4, 2009


Hello all!



I have aproblem that I'm just stuck on. I have a practice lab in my network with an access server. I have comcast and a linksys router as my firewall. I have been doing port forwarding for some time to access my computers such as rdp, ftp, etc so i'm familiar with it. I can't seem to telnet to my cisco router from the outside I have dyndns setup and its been working fine. I can't telnet wheher its by domain name or IP address. I opened ports 23 on my router and that doesn't work. I can telnet internally to my router just fine but not externally. This router has IOS 12.4 enterprise. Any help would be appreciated!!



  • buemae 5 posts since
    Jul 13, 2008

    Do you have a route to get out of your home network?

  • Paul Stewart  -  CCIE Security, CCSI 6,989 posts since
    Jul 18, 2008


    Most routers can redirect from one port on the outside to another port on the inside. The configuration should be pretty obvious, so if it isn't you may have to look it up on your particular router. To change it on the cisco, you would have to use the rotary command under "line VT 0 4". I am pretty sure this will not disable the original telnet port, but will allow you to also telnet to it on port 3000 + the rotary number. See example below.






    Like the other poster said, make sure your Cisco router has access to the internet first (check the basics). If it does not have a default route, it cannot return the telnet traffic to the outside telnet client.






    For example:



    line VT 0 4



    rotary 33






    This would make your router listen also on port 3033.









  • Melih Kulig 30 posts since
    Mar 31, 2009


    I have the same setup with SSH, I'll list what I did and what I'd recommend to avoid problems.



    - Security first, set up SSH if possible. Set up a static IP address on the interface of your access server that's within the same network range of your linksys router. This is most likely - 255. Pick up a higher address so it won't be used by DHCP clients.



    - Pick up a high port number, 5000, 10000, something you like that won't be easy to figure out, and use that as port to be redirected, and forward it to your access server's IP address, port 23 TCP for telnet, 22 TCP for SSH . You don't need to change port numbers on your access server, linksys routers should be able to handle this forwarding without problems. If your linksys model doesn't support this, there's always DD-WRT firmware.



    - Everyone said this already, but don't forget to set a default route on your access server. I disabled IP routing and set it up with ip default-gateway command, but ip route all-zeros should work just fine as well.



    - If it still doesn't work, then it's time to debug ip packets on your access server to see if it's even receiving anything when you telnet from outside. First time I was setting it, I had forgotten to set the default route, so an unroutable message helped me realize my mistake. Hopefully these should solve your problem.



  • Paul Stewart  -  CCIE Security, CCSI 6,989 posts since
    Jul 18, 2008

    Good deal; glad it is working for you. It's funny how it is often the simple things that we overlook.

  • Shaun 2 posts since
    Jul 14, 2011

    Hi Paul,




    I've got the same problem except I can't get telnet or SSH to work from the outside, most of the time.




    We have Cisco 877s using c870-advipservicesk9-mz.124-24.T7.bin on ROM 12.3(8r)YI6




    Both of the effected Cisco’s are using the above IOS\ROM, you can't connect using the dialler interface IP address (DSL) but you can connect if you use one of the IP addresses in the routed subnet range which routes to the dialler interface IP. There are no problems with telnet or SSH from inside the LAN on the Ethernet interfaces. I've completely gutted the configuration and replaced it with a config that I know works on another site for telnet on the dialler interface; they also have a routed subnet.




    I've run a debug on telnet but when you telnet to the dialler interface from the outside you get connection refused and the Cisco doesn't log the fact that I've tried to telnet. Interestingly if I run a debug on TCP and do the same I can see the connection coming in on port 23, but the Cisco responds with an RST; the same is true for SSH.




    If we change the dialler interface IP address to static rather than negotiated it works, we can telnet\SSH from the outside on the IP address of the dialler interface. If we revert back to IP address negotiated, then restart the dialler interface it still works and appears to be fixed. Yet, once the Cisco has been rebooted despite the configuration being saved we can no longer telnet\SSH from the outside on the IP address of the dialler interface. If we repeat this process, we can no longer telnet\SSH from the outside on the IP address of the dialler interface during any part of the process.




    During all my testing I've set my access-list for telnet\SSH to allow from any source.


    I’ve also used the rotary command to listen on different ports, but this makes no change and I’m running out of ideas. Could it be a problem with the IOS?

  • Shaun 2 posts since
    Jul 14, 2011

    To give you a better idea of the problem, here is what we see when we connect using Telnet (in this case I've added the rotary line 1).


    The first example shows a connection being made on the ethernet interface.


            DATA 253 ACK 159679119 PSH  WIN 64939

    *Oct 17 22:38:11.600: tcp0: I LISTEN seq 365991179

            OPTS 8 SYN  WIN 8192

    *Oct 17 22:38:11.600: tcp0: O SYNRCVD seq 2807504701

            OPTS 8 ACK 365991180 SYN  WIN 65535

    *Oct 17 22:38:11.604: tcp0: I SYNRCVD seq 365991180

            ACK 2807504702  WIN 17520

    *Oct 17 22:38:11.604: tcp3: O ESTAB seq 2807504702

            DATA 12 ACK 365991180 PSH  WIN 65535

    *Oct 17 22:38:11.608: tcp3: O ESTAB seq 2807504714

            DATA 560 ACK 365991180  WIN 65535

    *Oct 17 22:38:11.612: tcp3: O ESTAB seq 2807505274

            DATA 274 ACK 365991180 PSH  WIN 65535

    *Oct 17 22:38:11.612: tcp3: O ESTAB seq 2807505548

            DATA 42 ACK 365991180 PSH  WIN 65535

    *Oct 17 22:38:11.616: tcp3: I ESTAB seq 365991180

            DATA 3 ACK 2807504714 PSH  WIN 17508

    *Oct 17 22:38:11.616: tcp3: I ESTAB seq 365991183



    This is what we see when we connect on the dialler interface.


            ACK 893100756  WIN 16774

    *Oct 17 22:40:01.209: tcp0: I LISTEN 4x.xx.81.8:36354 4x.xx.84.3:3001 seq 2640912120

            OPTS 4 SYN  WIN 4128

    *Oct 17 22:40:01.213: TCP: sent RST to 4x.xx.81.8:36354 from 4x.xx.84.3:3001




    We can see that the Cisco is configured to listen on all interfaces.


    Active internet connections (servers and established)

    Prot               Local Address             Foreign Address                  Service   State

    tcp                        *:23                         *:0                   Telnet   LISTEN

    tcp                        *:23                    Telnet ESTABLIS

    udp                        *:67                         *:0            DHCPD Receive   LISTEN


More Like This

  • Retrieving data ...

Bookmarked By (0)